Localized pin management with reader verification and no disclosure

ABSTRACT

Mechanisms are provided to manage personal identification numbers and data objects residing in a communication system. In particular, solutions are described which allow a PIN associated with a data object to be stored with the data object for later authentication and verification purposes without disclosing the pin. In at least one embodiment, an operation is performed wherein a signature or digest of a data object is altered utilizing a user&#39;s entered pin. The altered signature is then stored. Upon verification and authentication, an operation is performed on the stored altered signature and the result is compared to a signature of the data object. If both signatures match, then the PIN can be used to authenticate and verify the data object.

FIELD OF THE INVENTION

The present invention is generally directed toward the management and verification of personal identification numbers.

BACKGROUND

Some access control systems employ older or less technically-sophisticated reader devices. Indeed, there is a large installed base of access control readers that are only equipped to read data from an access credential. These readers are sufficient to analyze the authenticity of an access credential (e.g., a thing carried by a user), but the readers and the access credentials are not natively equipped to analyze and verify a data object residing on a credential or the reader.

A user is often required to present their access credential to the reader and then enter a password or Personal Identification Number (PIN) code into the reader or a computing device associated with the reader. The computing device then transfers the user-entered password or PIN code to the reader via a dedicated communication link (often a wired connection). Providing a computing device in combination with the reader increases the level of security because the user that presents the access credential is now also required to prove something they know in addition to proving that they are caring a valid access credential. This is often referred to as dual-factor or two factor authentication.

One problem with this approach is that a keyboard logger or a similar snooping device could be installed to intercept the password/PIN entry process at the computing device or somewhere between the computing device and the reader. This potentially exposes the user's password/PIN to a malicious attacker. Additionally, even though many readers and credentials are improving, readers and credentials do not have the ability to manage many data objects stored on a single access credential or on a single reader. Likewise, many readers and credentials are not equipped to keep an entered pin, associated with a data object, inaccessible when many data objects reside on an access credential and/or reader.

One solution would be to maintain a master list containing valid PIN numbers for current data objects, and compare the valid PIN numbers to those received from a reader. Unfortunately, such a solution presents somewhat of a security risk as a master list containing pins and data objects could be considered a honey pot of information and would likely be the target of malicious hackers attempting to gain access to data objects or access physical objects protected by the data objects.

SUMMARY

It is, therefore, one aspect of the present invention to provide a system and method whereby both a PIN associated with a data object and the data object itself, can be provided on a device, such as a credential, reader, or otherwise, without disclosing the PIN to other systems (e.g., it can be verified without previous knowledge of the PIN). That is, the system does not disclose the PIN and does not store the PIN in an identifiable manner. Further, such an embodiment would also present a system for authenticating and verifying a data object based on a PIN provided from a user. Thus, the current disclosure provides efficient and easily implemented mechanisms whereby a user can limit access to a data object utilizing a PIN set by the user. Additionally, after the user has set the PIN associated with the data object, if the data object is later compromised, either maliciously or do in part to transmission or storage errors, such compromise can be detected the next time a user enters a PIN attempting to access the stored data object.

In accordance with at least some embodiments of the present invention, a method is provided that generally comprises: creating a first representation of a data object; obtaining a personal identification number; altering the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object; and storing the second representation of the data object.

Additionally, in accordance with at least some embodiments of the present invention, an access control system is provided that includes memory including instructions in the form of machine-readable code, the instructions including at least a personal identification number management module, a processor, configured to execute the instructions stored in memory, wherein the personal identification number management module is configured to receive a first representation of a data object, obtain a personal identification number, and alter the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object, and store the second representation of the data object.

Further yet, it is another aspect of the current invention to provide a method that generally comprises: obtaining a personal identification number; creating a first representation of a data object using at least a portion of the obtained personal identification number; storing the first representation of the data object; retrieving the first representation of the data object; obtaining a second personal identification number; creating a second representation of a data object using at least a portion of the obtained second personal identification number; altering the second representation of the data object using at least a portion of the obtained second personal identification number to create a third representation of the data object; determining whether the first personal identification number matches the second personal identification number by comparing the first representation of the data object to the second representation of the data object; and implementing an action based on determining whether the first personal identification number matches the second personal identification number.

The Summary is neither intended nor should it be construed as being representative of the full extent and scope of the present invention. The present invention is set forth in various levels of detail and the Summary as well as in the attached drawings and in the detailed description of the invention and no limitation as to the scope of the present invention is intended by either the inclusion or non inclusion of elements, components, etc. in the Summary. Additional aspects of the present invention will become more readily apparent from the detailed description, particularly when taken together with the drawings.

The phrases “at least one”, “one or more”, and “and/or” are open-ended expressions that are both conjunctive and disjunctive in operation. For example, each of the expressions “at least one of A, B and C”, “at least one of A, B, or C”, “one or more of A, B, and C”, “one or more of A, B, or C” and “A, B, and/or C” means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.

The term “a” or “an” entity refers to one or more of that entity. As such, the terms “a” (or “an”), “one or more” and “at least one” can be used interchangeably herein. It is also to be noted that the terms “comprising”, “including”, and “having” can be used interchangeably.

The term “automatic” and variations thereof, as used herein, refers to any process or operation done without material human input when the process or operation is performed. However, a process or operation can be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be “material”.

The term “computer-readable medium” as used herein refers to any tangible storage that participates in providing instructions to a processor for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, NVRAM, or magnetic or optical disks. Volatile media includes dynamic memory, such as main memory. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, magneto-optical medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, a solid state medium like a memory card, any other memory chip or cartridge, or any other medium from which a computer can read. When the computer-readable media is configured as a database, it is to be understood that the database may be any type of database, such as relational, hierarchical, object-oriented, and/or the like. Accordingly, the invention is considered to include a tangible storage medium and prior art-recognized equivalents and successor media, in which the software implementations of the present invention are stored.

The terms “determine”, “calculate”, and “compute,” and variations thereof, as used herein, are used interchangeably and include any type of methodology, process, mathematical operation or technique.

The term “module” as used herein refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and software that is capable of performing the functionality associated with that element. Also, while the invention is described in terms of exemplary embodiments, it should be appreciated that individual aspects of the invention can be separately claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in conjunction with the appended figures:

FIG. 1 depicts a first communication system configuration in accordance with embodiments of the present invention;

FIG. 2 is a block diagram depicting a reader/writer in accordance with embodiments of the present invention;

FIG. 3 is a block diagram depicting details of a credential in accordance with embodiments of the present invention;

FIG. 4 is a block diagram depicting details of a memory in accordance with embodiments of the present invention;

FIG. 5 is a flow chart depicting details of at least one embodiment in accordance with embodiments of the present invention;

FIG. 6 is a flow chart depicting details of at least a second embodiment in accordance with embodiments of the present invention;

FIG. 7 is a flow chart depicting details of a PIN setting method in accordance with embodiments of the present invention; and

FIG. 8 is a flow chart depicting details of a PIN authentication process executed in accordance with embodiments of the present invention.

DETAILED DESCRIPTION Copyright and Legal Notices

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyrights whatsoever.

The ensuing description provides embodiments only, and is not intended to limit the scope, applicability, or configuration of the claims. Rather, the ensuing description will provide those skilled in the art with an enabling description for implementing the embodiments. It being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the appended claims.

Referring initially to FIG. 1, details of a communication system 100 are depicted in accordance with at least some embodiments of the present disclosure. The communication system 100 generally includes one or more users 104, one or more credentials 108, and one or more reader/writers 116. The credentials 108 may be held by user 104 and may correspond to any type of portable access credential such as a Radio Frequency Identification (RFID) card (e.g., operating at 13.56 MHz and/or 125 kHz), an Integrated Circuit (IC) card, a smart card, a key fob, a passport, a credit card, a debit card, a PDA, a tag, a Near Field Communications (NFC) enabled mobile communication device, a portable computer, and the like. As such, credential 108 may be a portable device that is used to complete transactions with reader/writer 116. An example of a credential 108 is an RFID smartcard having data stored thereon allowing a user 104 access to an asset protected by a reader/writer 116. Alternatively, or in addition, credential 108 may be a portable device that is used to store, transport, and/or retain data objects, the data objects being accessible to or accessible by the reader/writer 116. For example, credential 108 may be an RFID smartcard storing data thereon, the stored data being useful to the user 104 and/or the reader/writer 116 as part of communication system 100. That is, an asset protected by reader/writer 116 may be a physical asset or it may be a data asset, such as a data object, stored on the credential or elsewhere. Likewise, reader/writer 116 may protect a physical asset and a data asset. Additionally, the data asset may protect a physical asset.

Referring again to FIG. 1, reader/writer 116 may be any device capable of reading from or writing to credential 108. For example, reader/writer 116 may communicate with credential 108 over communication medium 124 using a variety of communication protocols; reader/writer 116 may be contactless and/or contact-based. In one example, credential 108 may communicate with reader/writer 116 with RF signals, thereby allowing contactless communication. In other embodiments, credential 108 may be swiped, inserted, or otherwise contacted with the reader/writer 116.

In some embodiments, reader/writer 116 may be connected to control panel 120 via a communications network. In other embodiments, reader/writer 116 may be integrated with control panel 120, though such integration is not required. Reader/writer 116 may facilitate the transfer of data from credential 108 to control panel 120, and/or reader/writer 116 may facilitate the transfer of data from control panel 120 to credential 108. In either configuration, reader/writer 116 may act as a conduit between control panel 120 and credential 108 and also implement actions consistent with decisions made by the control panel 120 and/or the credential 108. Such decisions may be access control based decisions and/or data object authentication based decisions.

In other embodiments, control panel 120 may also implement access control based decisions and/or data object authentication and verification based decisions on information obtained from credential 108 via reader/writer 116. Control panel 120 may communicate with reader/writer via communication medium 128. Communication medium 128 may be wireless or wired. For example, as mentioned above, control panel 120 may be integrated with reader/writer 116 such that reader/writer 116 and control panel 120 communicate using a common communication bus. Alternatively, or in addition, reader/writer 116 may be an add-on accessory to control panel 120, or vice versa. Further, reader/writer 116 and control panel 120 may communicate using a wireless communication medium, such as RF, optical, or otherwise, and may be situated in physically distinct or separate locations.

Control panel 120 may further be in communication with a database containing access control information. The database may reside within control panel 120 or may be provided as an integrated or otherwise standalone database. Alternatively, or in addition, control panel 120 may be in communication with a database or storage location containing data or data objects maintained on, transported by, and/or for use with credential 108. For example, and as described further below, credential 108 may store data objects comprising processor executable instructions that may be replaced, updated, or overwritten with other processor executable instructions that are stored in the database. Further, the data objects stored on credential 108 may be executed to effectuate an intended result.

The communication system 100 may further include a PIN pad 112. PIN pad 112 may be any device operable to receive a personal identification number, or pin, from a user. Although a PIN tends to be associated with a secret number shared between a user and a system used to authenticate a user to the system, a PIN is not so limited to being just a number. As used herein, PIN can be anything such as a password or pass code; that is, a PIN may be any combination of numbers, letters, symbols, sequences, movements, gestures, placements, or the like used to authenticate a user. PIN pad 112 may then provide reader/writer 116 with the entered PIN via communication medium 132. Alternatively, or in addition, PIN pad 112 may be in communication with control panel 120 and provide control panel 120 with the entered PIN directly. PIN pad 112 may further encrypt or obfuscate the PIN entered by the user prior to sending the PIN to reader/writer 116 and/or control panel 120; such encryption or obfuscation may be performed in a manner as described below.

Generally, a user enters a PIN as part of an authentication process. For example, in authentication scenarios where two pieces of information are required to authenticate a user, user 104 may present credential 108 to reader/writer 116 as one required piece of information. User 104 may then enter a PIN at PIN pad 112 as a second piece of required information. Reader/writer 116 and/or control panel 120 then determines, based on the credential presented and the PIN entered, whether or not user 104 is authenticated. Alternatively, or in addition, reader/writer 116 or control panel 120 determines, based on the credential presented and the PIN entered, whether a data object is authenticated. For example, in instances where a data object resides on a credential, a described further below, the credential and a PIN may provide the necessary information to authenticate the data object.

In some embodiments and consistent with the present disclosure, PIN pad 112 is not provided as part of communication system 100. In cases where a physical PIN pad 112 is not provided, a PIN can be provided by other means. For example, in some instances a PIN may be provided ahead of time or provided from another location. Such a PIN may have a limited effective lifespan or expire at a predetermined or random time. In other instances, user 104 can provide the PIN to communication system 100 using a mobile communication device 140, such as a laptop, mobile phone or otherwise. A user 104, using mobile communication device 140, may enter the PIN on the mobile communication device 140; mobile communication device 140 then sends the PIN to control panel 120 or reader/writer 116 using communication medium 144. Communication medium 144 may comprise Short message system (SMS), email, NFC, WiFi, RF, optical, Bluetooth, infrared, or the like and may be utilized to communicate an entered PIN to reader/writer 116 and/or control panel 120. Such a PIN may be communicated directly to reader/writer 116 or control panel 120, or may be communicated indirectly through various interconnected networks (not shown). It is further contemplated that mobile communication device 140 may run an app or application that accepts a PIN entered from a user, such as user 104, and communicates the entered PIN to reader/writer 116, control panel 120, and/or PIN pad 112.

Alternatively, or in addition, a PIN may be provided to control panel 120 or reader/writer 116 by a user other than the user in possession of a credential. For example, user 136 provides a PIN to PIN pad 112 ahead of time. Such PIN may have a limited effective lifespan or expire at a predetermined or random time. For example, user 136 may input a PIN into system 100 prior to user 104 presenting credential 108. The PIN provided by user 136 together with the credential presented by user 104 may be sufficient to authenticate user 104, user 136, and/or a data object residing on credential 108. For example, the credential presented by user 104 and the PIN entered by user 136 may be sufficient to authenticate a data object. Other combinations are also possible. In one example, user 104 presents credential 108 to reader/writer 116. User 136 can then be authenticated, or likewise can authenticate a data object. User 136 can also provide the MN using communication device 140 in a manner as described above.

Referring now to FIG. 2, details of reader/writer 116 are depicted in accordance with at least some embodiments of the present disclosure. Reader/writer 116 may include a processor 212, memory 208, clock 216, power source 220, and communication interface 204 for communicating with credential 108. As discussed above, reader/writer 116 can communicate with credential 108 utilizing communication medium 124. Alternatively, or in addition, communication interface 204 may allow mobile communication device 140 to communicate directly with reader/writer 116 and/or PIN pad 112.

Processor 212 is provided to execute instructions contained within memory 208. As such, the functionality of the reader/writer 116 is typically stored in memory 208 in the form of instructions and carried out by the processor 212 executing such instructions. Accordingly, the processor 212 may be implemented as any suitable type of microprocessor or similar type of processing chip. One example of the processor 212 may include any general-purpose programmable processor, digital signal processor (DSP) or controller for executing application programming contained within memory 208. Alternatively, or in addition, the processor 212 and memory 208 may be replaced or augmented with an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA).

The memory 208 generally comprises software routines facilitating, in operation, pre-determined functionality of the reader/writer 116. The memory 208 may be implemented using various types of electronic memory generally including at least one array of non-volatile memory cells (e.g., Erasable Programmable Read Only Memory (EPROM) cells or FLASH memory cells, etc.). The memory 208 may also include at least one array of dynamic random access memory (DRAM) cells. The content of the DRAM cells may be pre-programmed and write-protected thereafter, whereas other portions of the memory may selectively be modified or erased. The memory 208 may be used for either permanent data storage or temporary data storage.

Referring now to FIG. 3, details of credential 108 are depicted in accordance with at least some embodiments of the present disclosure. Credential 108 may include memory 308, processor 312, and reader/writer interface 304. Similar to the processor included in reader/writer 116, processor 312 is provided to execute instructions contained within memory 308. Accordingly, the processor 312 may be implemented as any suitable type of microprocessor or similar type of processing chip, such as any general-purpose programmable processor, digital signal processor (DSP) or controller for executing application programming contained within memory 308. Alternatively, or in addition, the processor 312 and memory 308 may be replaced or augmented with an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA).

The memory 308 generally comprises software routines facilitating, in operation, pre-determined functionality of the credential 108. The memory 308 may be implemented using various types of electronic memory generally including at least one array of non-volatile memory cells (e.g., Erasable Programmable Read Only Memory (EPROM) cells or FLASH memory cells, etc.) The memory 308 may also include at least one array of dynamic random access memory (DRAM) cells. The content of the DRAM cells may be pre-programmed and write-protected thereafter, whereas other portions of the memory may selectively be modified or erased. Memory 308 may be similar to the memory 208 and may be used for either permanent data storage or temporary data storage.

Referring now to FIG. 4, memory 208, 308 may comprise an authentication module 404, PIN management module 408, signature module 412, data object 416, and a signature of the data object 420. Authentication module 404 provides functionality to authenticate a particular data object, such as data object 412. Alternatively, or in addition, authentication module 404 may be used to authenticate a particular user, such as user 104.

Data object 416 may be any data stored in memory 208, 308 requiring authentication. For example, data object 416 may comprise an access control credential, biometric template, and/or rules or rule set for an access decision made within a communication system 100. Data object 416 may further comprise any digital content or media protected by an access control technology, such as an implementation of digital rights management (DRM) to protect audio and/or video files and other multimedia content. Data object 416 may also be an application stored on memory 208, 308, that is to be executed in some manner.

Associated with data object 416 is signature 420. Signature 420 may be any representation of digital object 416 that identifies digital object 116. For example, signature 420 may be a message digest created using signature module 412 utilizing a message digest or cryptographic hash function, such as MD5. In addition to MD5, other examples of cryptographic hash functions may include MD4, RIPEMD-160, SHA-1, SHA-256, SHA-384, SHA-512, although any cryptographic hash function that takes an input of arbitrary length and produces a message digest of fixed and/or shorter length may be used. The resulting message digest, also known as a fingerprint, hash, digital summary, checksum, or signature, may then be used to uniquely identify data object 416 and verify the integrity of data object 416.

As discussed above, signature 420 may be created using signature module 412. Signature module may take as an input data object 416, apply a cryptographic hash function such as MD5 to the input data, and produce a signature 420 representative of data object 416. The signature created by signature module 412 may then be provided to PIN management module 408 and/or authentication module 404. Signature module 412 may also digitally sign the resulting signature using a public key/private key system, such as X.509, producing a digitally signed signature; however, a digitally signed signature is not required. Alternatively, or in addition, signature module 412 may extract a digital certificate associated with data object 416.

Pin management module 408 provides the necessary functionality to manage a PIN received from a user, such as user 104, by concealing or obfuscating the received pin. Although depicted as residing in memory 208, 308, PIN management module may reside elsewhere in the system 100. PIN management module 408 may also be responsible for setting and/or storing a particular user's PIN and may further be used to verify a particular user's PIN as described further below. In addition to managing a user's pin, PIN management module, in cooperation with signature module 412 and authentication module 404, may also be used to verify the integrity of data object 416. For example, as part of the concealing or obfuscating process, a signature of data object 420 is provided to PIN management module 408. PIN management module 408 may transform or alter a signature received from signature module 416, using a one-way or two-way function, into an altered signature. The altered signature may then be stored in memory 208, 308 as altered signature 424. Alternatively, or in addition, the altered signature 424 may be stored in a designated secure memory area of memory 208, 308.

As mentioned above, PIN management module 408, in conjunction with a received PIN from a user, may alter a signature provided by signature module 412, thereby concealing or obfuscating a received pin. In some embodiments and consistent with the present disclosure, PIN management module 408 may utilize a one-way function to alter or obfuscate the received pin. Examples of one-way functions are cryptographic hash functions, keyed hash functions, and any other functions that take an input of arbitrary length and produce a message digest, also known as a fingerprint, hash, digital summary, checksum, or signature, that may be used to uniquely identify a data object. For example, the PIN management module 408 may operate on the received PIN and signature 420 utilizing a keyed hashing function, where the received PIN is used as the hash key, thereby creating an altered signature 424. As previously mentioned, altered signature 424 may be stored in memory 208, 308. Alternatively, or in addition, altered signature 424 may be stored in a secure designated portion of memory 208, 308. It should also be appreciated that the altered signature 424 may be stored in addition to storing the signature 420 or as a replacement to storing the signature 420. For instance, once the altered signature 424 is created, the altered signature 424 may be stored as a replacement for the signature 420. Furthermore, the altered signature 424 may be stored in the same memory location where the signature 420 was originally stored or it may be stored in a different memory location.

As another example, PIN management module 408 may first attach the received PIN to signature 420 prior to performing a one-way operation function, such as an MD4, RIPEMD-160, SHA-1, SHA-256, SHA-384, SHA-512 hashing function or other cryptographic hashing functions. For example, the received PIN can be prefixed, appended, or randomly inserted into signature 420. Attaching the PIN in such a manner is typically known as salting. Alternatively, or in addition, other functions, such as add, subtract, multiple, divide, and the like may be utilized to effectively alter signature 420 prior to performing the one-way operation. The same function, whether it be add or post append, must later be used during the verification process.

In some embodiments, and consistent with the present disclosure, PIN management module 408 may utilize a two-way function to alter or obfuscate the received pin. One example of a two way function is an exclusive or (XOR) operation. The PIN management module 408 may XOR the received PIN and the signature 420, thereby creating an altered signature 424. As previously mentioned, altered signature 424 may be stored in memory 208, 308. Alternatively, or in addition, altered signature 424 may be stored in a secure designated portion of memory 208, 308.

Authentication module 404 is provided to perform authentication functions with respect to any of credential 108, user 104, and data object 416. More specifically, authentication module 404 may verify the integrity of data object 416 using the altered signature 424 and a PIN 148 provided by user 104. For example, if user 104 desires to access, update, change, and/or replace data object 416 stored in memory 208, 308, prior to any access, update, change, or replacement, the integrity of data object 416 would be verified utilizing a PIN 148 provided by user 104. If the altered signature had been created using a two-way operation, such as an XOR operation, PIN management module 408 may retrieve altered signature 424. Utilizing PIN 148 provided by user 104 and altered signature 424, PIN management module 408 performs a two-way operation resulting in a recovered signature. The recovered signature is then provided to authentication module 404. At the request of authentication module 404, signature module 412 creates a signature 420 of data object 416 and provides signature 420 to authentication module. Authentication module 404 then compares the recovered signature with signature 420. If the recovered signature and signature 420 are equal or match, then authentication module 404 may make two determinations. First, authentication module 404 may determine that the integrity of data object 416 has not been compromised. That is, the data object as it existed when the altered signature was created is the same data object that exists when the recovered signature matches signature 420. Authentication module 404 may also determine that user 104 is authorized to access, update, change, or replace data object 416 since the PIN provided by user 104 correctly verified the integrity of data object 416. That is, if user 104 enters a wrong pin, the recovered signature provided by PIN management module 408 will not match the signature 420 provided by signature module 412. Only the same PIN 148 provided by user 104 will successfully verify the integrity of data object 416. Authentication module 404 may then provide the determination for use by credential 108, PIN pad 112, reader/writer 116 and/or control panel 120 such that a decision in accordance with the authentication modules decision may be made.

In instances where the altered signature had been created using a one-way operation; such as a one-way operation previously described, PIN management module 408 may retrieve altered signature 424. At the request of authentication module 404, signature module 412 creates a signature 420 of data object 416 and provides signature 420 to the PIN management module 408. Utilizing PIN 148 provided by user 104 and signature 420, PIN management module 408 performs the same one-way operation as before, resulting in an altered signature. The altered signature is then provided to authentication module 404. Authentication module 404 then compares the altered signature with altered signature 424. If the altered signature and altered signature 424 are equal or match, then authentication module 404 may make two determinations. First, authentication module 404 may determine that the integrity of data object 416 has not been compromised. That is, the data object as it existed when the altered signature was created is the same data object that exists when the recovered signature matches signature 420. Authentication module 404 may also determine that user 104 is authorized to access, update, change, or replace data object 416 since the PIN provided by user 104 correctly verified the integrity of data object 416. That is, if user 104 enters a wrong pin, the altered signature provided by PIN management module 408 will not match the altered signature 424. Only the same PIN 148 provided by user 104 will successfully verify the integrity of data object 416. Authentication module 404 may then provide the determination for use by credential 108, PIN pad 112, reader/writer 116 and/or control panel 120 such that a decision in accordance with the authentication modules decision may be made.

Referring now to FIG. 5, details of a two-way PIN concealment process and an associated authentication process are depicted in accordance with at least some embodiments of the present disclosure. The concealment of a user's pin, also known as pin-setting, and the authentication and verification of a user's pin, also known as authenticating and verifying, maybe performed as discussed below. Although details of pin-setting are described first, based on the disclosure provided herein, those of ordinary skill will understand that once a pin-setting process has occurred, the authentication and verification process may occur. Alternatively, or in addition, the authentication and verification process may occur many times after a pin-setting process has occurred. Likewise, as part of a pin-resetting process, the authentication and verification process may occur prior to a pin-setting process. Additionally, the pin-setting process and/or the authenticating and verifying may be performed at any device within the communication system 100. For example, the pin-setting process may be performed at a PIN pad 112, reader/writer 116, control panel 120, and or credential 108. Likewise, the authentication and verification may occur at a PIN pad 112, reader/writer 116, control panel 120, and or credential 108.

As previously discussed, details of a pin-setting process are described in accordance with at least some embodiments of the present disclosure. Data object 504 may be the same or similar to data object 416 and may be any data stored in memory 208, 308 requiring authentication. For example, data object 504 may comprise an access control credential, biometric template, and/or rules or rule set for an access decision made within a communication system 100. Data object 504 may further comprise any digital content or media protected by an access control technology, such as an implementation of digital rights management (DRM) to protect audio and/or video files and other multimedia content. Data object 504 may also be an application stored on memory 208, 308, that is to be executed in some manner.

As part of a pin-setting process which conceals a user's pin, a signature or digest 512 of data object 504 is created using signature module 508. Signature module 508 may be the same as or similar to signature module 412. A signature 512 of data object 504 is created and provided to PIN management module 516. PIN management module 516 may be the same as or similar to PIN management module 408 as previously discussed. As part of a pin-setting process, a PIN 520 is received from a user. PIN 520 may be provided via a traditional PIN pad, such as PIN pad 112, or may be provided by other methods as previously discussed. For example, PIN 520 may be provided by a user directly to a control panel, reader/writer, or PIN pad utilizing another communication medium. Once PIN management module 516 receives PIN 520 and signature 512, PIN management module 516 can perform a two-way operation to create altered signature 524. As previously discussed, an example of a two-way operation is an exclusive or (XOR) operation. The PIN management module 516 may XOR PIN 520 and the signature 512, thereby creating an altered signature 524. Altered signature 524 may then be stored in a memory, for example memory 528. Once the altered signature 524 is stored, a user's pin, in conjunction with a specified data object, has been set and is concealed.

In instances where a user may want to either gain access to or verify the authenticity of a data object, such as data object 504, an authentication and verification process is invoked. As part of an authentication and verification process, a PIN 532 is received from a user. PIN 532 may be provided via a traditional PIN pad, such as PIN pad 112, or may be provided by other methods as previously discussed. For example, PIN 532 may be provided by a user directly to a control panel, reader/writer, or PIN pad utilizing another communication medium. In some instances, PIN 532 and PIN 520 may be the same or match. In other instances, PIN 532 may not be the same or may not match PIN 520. Once PIN management module 516 receives PIN 532, PIN management module 516 may retrieve altered signature 524 from an altered signature 528 memory location. The PIN management module 516 may then XOR PIN 532 and the altered signature 524, thereby creating a recovered signature 536. Recovered signature 536 may then be provided to authentication module 540.

Prior to, during, or before authentication module receives recovered signature 536 from PIN management module 516, authentication module 540 may request a signature 544 from signature module 508. Signature 544 is provided in a similar to manner to that which was described previously with respect to signature module 508 and signature module 412. That is, utilizing data object 504, a signature 544 is created utilizing the same two-way operation. Authentication module 540 then compares the recovered signature 536 with signature 544. If the recovered signature 536 and signature 544 are equal or match, then authentication module 540 may determine that the integrity of data object 504 has not been compromised that user 104 is authorized to access, update, change, or replace data object 504, or a PIN associated with data object 504, since the PIN provided by user 104 correctly verified the integrity of data object 504. That is, if user 104 enters a wrong pin, the recovered signature provided by PIN management module 516 will not match the signature 544 provided by signature module 508. In this instance, only a PIN 532 that matches PIN 520 will successfully verify the integrity of data object 604. Authentication module 540 may then provide the determination for use by credential 108, PIN pad 112, reader/writer 116 and/or control panel 120 such that a decision in accordance with the authentication module's decision may be made.

Referring now to FIG. 6, details of a one-way PIN concealment process and an associated authentication process are depicted in accordance with at least some embodiments of the present disclosure. The concealment of a user's pin, also known as pin-setting, and the authentication and verification of a user's pin, also known as authenticating and verifying, maybe performed as discussed below. Although details of pin-setting are described first, based on the disclosure provided herein, those of ordinary skill will understand that once a pin-setting process has occurred, the authentication and verification process may occur. Alternatively, or in addition, the authentication and verification process may occur many times after a pin-setting process has occurred. Likewise, as part of a pin-resetting process, the authentication and verification process may occur prior to a pin-setting process.

As previously discussed, details of a pin-setting process are described in accordance with at least some embodiments of the present disclosure. Data object 604 may be the same or similar to data object 416 and may be any data stored in memory 208, 308 requiring authentication. For example, data object 604 may comprise an access control credential, biometric template, and/or rules or rule set for an access decision made within a communication system 100. Data object 604 may further comprise any digital content or media protected by an access control technology, such as an implementation of digital rights management (DRM) to protect audio and/or video files and other multimedia content. Data object 604 may also be an application stored on memory 208, 308, that is to be executed in some manner.

As part of a pin-setting process which conceals a user's pin, a signature or digest 612 of data object 604 is created using signature module 608. Signature module 608 may be the same as or similar to signature module 412. A signature 612 of data object 604 is created and provided to PIN management module 616. PIN management module 616 may be the same as or similar to PIN management module 408 as previously discussed. As part of a pin-setting process, a PIN 620 is received from a user. PIN 620 may be provided via a traditional PIN pad, such as PIN pad 112, or may be provided by other methods as previously discussed. For example, PIN 620 may be provided by a user directly to a control panel, reader/writer, or PIN pad utilizing another communication medium. Once PIN management module 616 receives PIN 620 and signature 612, PIN management module 616 can perform a one-way operation, such as a hash function 624, to create altered signature 628. As previously discussed, examples of a one-way operations include cryptographic hash functions, keyed hash functions, and any other functions that take an input of arbitrary length and produce a message digest, also known as a fingerprint, hash, digital summary, checksum, or signature, that may be used to uniquely identify a data object. The PIN management module 616 may perform the one-way operation, utilizing PIN 620 and the signature 612, thereby creating an altered signature 628. The one-way operation may utilize PIN 620 in a variety of different manners. For example, and as previously discussed, the one-way operation may utilize PIN 620 as a “key” to a keyed hash function. Alternatively, or in addition, the one-way operation may utilize PIN 620 in accordance with a particular salting operation wherein PIN 620 is attached to signature 612 prior to performing the one-way operation. Altered signature 628 may then be stored in a memory, for example memory 632. Once the altered signature 628 is stored, a user's pin, in conjunction with a specified data object, has been set and is concealed.

In instances where a user may want to either gain access to or verify the authenticity of a data object, such as data object 604, an authentication and verification process is invoked. As part of an authentication and verification process, a PIN 636 is received from a user. PIN 636 may be provided via a traditional PIN pad, such as PIN pad 112, or may be provided by other methods as previously discussed. For example, PIN 636 may be provided by a user directly to a control panel, reader/writer, or PIN pad utilizing another communication medium. In some instances, PIN 636 and PIN 620 may be the same or match. In other instances, PIN 636 may not be the same or may not match PIN 620. Once PIN management module 616 receives PIN 636, PIN management module may request that data signature module 608 create another signature 612 of data object 604. PIN management module, utilizing PIN 636 in the same manner as PIN 620 was utilized, creates altered signature 640 utilizing a one-way operation, such as hash function 624. Altered signature 640 is then provided to authentication module 644.

Prior to, during, or before authentication module 644 receives altered signature 640 from PIN management module 616, authentication module 644 may request or receive altered signature 628 from a storage location, such as altered signature storage 632. Authentication module 644 then compares altered signature 640 with altered signature 628. If altered signature 640 and altered signature 628 are equal or match, then authentication module 644 may determine that the integrity of data object 604 has not been compromised that user 104 is authorized to access, update, change, or replace data object 604, or a PIN associated with data object 604, since the PIN provided by user 104 correctly verified the integrity of data object 604. That is, if user 104 enters a wrong pin, the altered signature 640 provided by PIN management module 616 will not match the altered signature 628. In this instance, only a PIN 636 that matches PIN 620 will successfully verify the integrity of data object 604. Authentication module 644 may then provide the determination for use by credential 108, PIN pad 112, reader/writer 116 and/or control panel 120 such that a decision in accordance with the authentication module's decision may be made.

Although signature module 608 is illustrated as a component separate than that of YIN management module 616, in some embodiments, signature module 608 may be included in PIN management module 616; that is, PIN management module 616 may perform the one-way operation directly on data object 604 utilizing PIN 620,636. For example, in instances where the one-way function is a keyed hash function, PIN management module 616 may create altered signature 628,640 utilizing PIN 620, 636 and data object 604. In such an instance, the keyed hash function directly operates utilizing data object 604 and PIN 620, 636.

A method of performing a pin-setting process, in accordance with an embodiment of the present disclosure, will now be described in connection with FIG. 7. Method 700 is in embodiments performed by a device, such as device 108, 112, 116, and 120. More specifically, one or more hardware and software components may be involved in performing method 700. In one embodiment, one or more of the previously described modules perform one or more of the steps of method 700. The method 700 may be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer-readable medium. Hereinafter, the method 700 shall be explained with reference to the systems, components, modules, software, etc. described in conjunction with FIGS. 1-6.

Method 700 is initiated at step 704. Step 704 may start with a user swiping a secure credential across a reader/writer 116; in other embodiments, step 704 may start in another manner. Method 700 may continuously flow in a loop, flow according to a timed event, or flow according to a change in an operating or status parameter. At step 708, a PIN is received. A PIN may be received via a traditional PIN pad, such as PIN pad 112, or may be provided by other methods as previously discussed. For example, a PIN may be provided by a user directly to a control panel, reader/writer, or PIN pad utilizing another communication medium. At step 712, it is determined whether or not a keyed function, as previously described, will be utilized. If a keyed function will be utilized, method 700 transitions to step 740 where a keyed signature is created utilizing a received PIN and the data object, such as data object 604. After a keyed signature is created in step 740, method 700 transitions to step 744 wherein the keyed signature is stored, as previously described. Method 700 then transitions to step 736 where method 700 ends.

In instances where a keyed function will not be utilized, method 700 transitions from step 712 to step 716, where a signature of the data object is created. Method 700 then transitions to step 720, where it is determined whether a one-way operation or a two-way operation will be utilized to conceal the received pin. If a two-way operation will be utilized, method 700 transitions to step 724, wherein the signature of a data object, such as data object 504, is altered utilizing a one-way operation and the received PIN to produce an the altered signature. For example, step 724 may perform an XOR operation, utilizing the signature of the data object and the received pins as operands. Method 700 then transitions to step 728 where the altered signature is stored. Method 700 then transitions to step 736 where method 700 ends.

If a one-way operation will be utilized, method 700 transitions from step 720 to step 732, where the signature of a data object, such as data object 604, is altered utilizing a one-way operation and the received PIN to produce an the altered signature. For example, step 724 may perform a one-way hash on a signature of the data object that has been salted using the received pin. Method 700 then transitions to step 728 where the altered signature is stored. Method 700 then transitions to step 736 where method 700 ends.

A method of performing an authentication and verification process, in accordance with an embodiment of the present disclosure, will now be described in connection with FIG. 8. Method 800 is in embodiments performed by a device, such as device 108, 112, 116, and 120. More specifically, one or more hardware and software components may be involved in performing method 800. In one embodiment, one or more of the previously described modules perform one or more of the steps of method 800. The method 800 may be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer-readable medium. Hereinafter, the method 800 shall be explained with reference to the systems, components, modules, software, etc. described in conjunction with FIGS. 1-6.

Method 800 is initiated at step 804. Step 804 may start with a user swiping a secure credential across a reader/writer 116; in other embodiments, step 804 may start in another manner. Method 800 may continuously flow in a loop, flow according to a timed event, or flow according to a change in an operating or status parameter. At step 808, a PIN is received. A PIN may be received via a traditional PIN pad, such as PIN pad 112, or may be provided by other methods as previously discussed. For example, a PIN may be provided by a user directly to a control panel, reader/writer, or PIN pad utilizing another communication medium. At step 812, it is determined whether or not a keyed function, as previously described, has been utilized to conceal a PIN previously in conjunction with a data object, for example in step 712 and 740. If a keyed function has been utilized, method 800 transitions to step 860 where a keyed signature is created utilizing a received PIN and the data object, such as data object 604. After a keyed signature is created in step 860, the previously stored signature of the data object, created utilizing a keyed hash function, is retrieved at step 864. Method 800 then transitions to step 868 where the retrieved signature of the data object and the signature of the data object create din step 860 are compared. If both signatures match or are equal, it is determined that the data object has not been compromised, and that PIN received in step in 808 is the same PIN that was received in step 708. Method 800 then transitions to step 836 where an event consistent with a correct PIN having been entered is initiated. Method 800 then transitions to step 840 where method 800 ends.

If, on the other hand, the signature retrieved in step 864 is not the same as the signature created in step 860, method 800 may transition back to step 804 where another PIN is received. Alternatively, or in addition, method 800 may transition to step 840 where method 800 ends.

In instances where a keyed function has not been utilized, method 800 transitions from step 812 to step 816, where it is determined whether a one-way operation or a two-way operation was utilized to conceal the PIN in conjunction with the signature of the data object. If a two-way operation was utilized, method 800 transitions to step 820, wherein the altered signature created in step 724 and stored in step 728, is retrieved. Method 800 then transitions to step 824 wherein a two-way function is applied to the retrieved signature of step 820. Method 800 then transitions to step 828 where a signature of the data object is once again created. Next, in step 832, the newly created signature of step 828 is compared to the result of the two-way function in step 824. If, in step 832 the signatures match, it is then determined that the data object has not been compromised and that the PIN received in step 808 is the same PIN that was received in step 708. Method 800 then transitions to step 836 where an event consistent with a correct PIN having been entered is initiated. Method 800 then transitions to step 840 where method 800 ends.

If, on the other hand, the signature created in step 828 does not match the result of the two-way operation in step 824, method 800 may transition back to step 804 where another PIN is received. Alternatively, or in addition, method 800 may transition to step 840 where method 800 ends.

Instead, if a one-way operation was utilized, method 800 transitions to step 844, where the signature of the data object is created. Next, in step 848, a one-way operation is performed utilizing the signature of the data object created in step 844 and the received PIN to produce an altered signature. The altered signature created in step 732 and stored in step 728, is retrieved. Method 800 then transitions to step 856 where the newly created signature of step 848 is compared to the retrieved signature in step 852. If, in step 856 the signatures match, it is then determined that the data object has not been compromised and that the PIN received in step 808 is the same PIN that was received in step 708. Method 800 then transitions to step 836 where an event consistent with a correct PIN having been entered is initiated. Method 800 then transitions to step 840 where method 800 ends.

If, on the other hand, the altered signature created in step 848 does not match the retrieve signature in step 852, method 800 may transition back to step 804 where another PIN is received. Alternatively, or in addition, method 800 may transition to step 840 where method 800 ends.

In the foregoing description, for the purposes of illustration, methods were described in a particular order. It should be appreciated that in alternate embodiments, the methods may be performed in a different order than that described. It should also be appreciated that the methods described above may be performed by hardware components or may be embodied in sequences of machine-executable instructions, which may be used to cause a machine, such as a general-purpose or special-purpose processor or logic circuits programmed with the instructions to perform the methods. These machine-executable instructions may be stored on one or more machine readable mediums, such as CD-ROMs or other type of optical disks, floppy diskettes, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other types of machine-readable mediums suitable for storing electronic instructions. Alternatively, the methods may be performed by a combination of hardware and software.

Specific details were given in the description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.

Also, it is noted that the embodiments were described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine readable medium such as storage medium. A processor(s) may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

While illustrative embodiments of the invention have been described in detail herein, it is to be understood that the inventive concepts may be otherwise variously embodied and employed, and that the appended claims are intended to be construed to include such variations, except as limited by the prior art. 

What is claimed is:
 1. A method comprising: creating a first representation of a data object; obtaining a personal identification number; altering the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object; and storing the second representation of the data object.
 2. The method of claim 1, further comprising: obtaining a second personal identification number; altering the second representation of the data object using at least a portion of the obtained second personal identification number to create a third representation of the data object; determining whether the first personal identification number matches the second personal identification number by comparing the third representation of the data object to a fourth representation of the data object; and implementing an action based on determining whether the first personal identification number matches the second personal identification number.
 3. The method of claim 2, wherein the fourth representation of the data object is the same as the first representation of the data object.
 4. The method of claim 2, wherein the fourth representation of the data object is the first representation of the data object.
 5. The method of claim 1, wherein altering the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object comprises performing a two-way operation on the first representation of the data object
 6. The method of claim 5, wherein altering the second representation of the data object using at least a portion of the second obtained personal identification number to create a third representation of the data object comprises performing a two-way operation on the second representation of the data object; and wherein the altering the first representation of the data and the altering the second representation of the data is performed using the same two-way operation.
 7. The method of claim 6, wherein the two-way operation comprises an XOR operation.
 8. The method of claim 1, further comprising: obtaining a second personal identification number; creating a third representation of the data object; altering the third representation of the data object using at least a portion of the obtained second personal identification number to create a fourth representation of the data object; determining whether the first personal identification number matches the second personal identification number by comparing the third representation of the data object to the fourth representation of the data object; and implementing an action based on determining whether the first personal identification number matches the second personal identification number.
 9. The method of claim 1, wherein altering the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object comprises performing a one-way operation on the first representation of the data object.
 10. The method of claim 1, further comprising: salting the first representation of the data object with the personal identification number prior to altering the first representation of the data object.
 11. The method of claim 1, wherein the first representation of the data object comprises a data object signature.
 12. The method of claim 1, wherein the personal identification number comprises one or more of alphanumeric characters and numeric characters.
 13. A method comprising: obtaining a personal identification number at a PIN management module; creating, with the PIN management module, a first representation of a data object using at least a portion of the obtained personal identification number; storing the first representation of the data object in memory of a reader; retrieving the first representation of the data object from the memory of the reader; obtaining a second personal identification number; creating a second representation of a data object using at least a portion of the obtained second personal identification number; altering the second representation of the data object using at least a portion of the obtained second personal identification number to create a third representation of the data object; determining whether the first personal identification number matches the second personal identification number by comparing the first representation of the data object to the second representation of the data object; and implementing an action based on determining whether the first personal identification number matches the second personal identification number.
 14. An access control system, comprising: memory including instructions in the form of machine-readable code, the instructions including at least a personal identification management module; a processor, configured to execute the instructions stored in memory; and wherein the personal identification number management module is configured to: receive a first representation of a data object; obtain a personal identification number; and alter the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object; and store the second representation of the data object.
 15. The system of claim 14, wherein the PIN management module is further configured to: obtain a second personal identification number; alter the second representation of the data object using at least a portion of the obtained second personal identification number to create a third representation of the data object; and wherein the instructions further include an authentication module, the authentication module configured to determine whether the first personal identification number matches the second personal identification number by comparing the third representation of the data object to a fourth representation of the data object, and the authentication module further configured to implement an action based on determining whether the first personal identification number matches the second personal identification number.
 16. The system of claim 15, wherein altering the first representation of the data object using at least a portion of the obtained personal identification number to create a second representation of the data object comprises performing a two-way operation on the first representation of the data object.
 17. The system of claim 16, wherein the two-way operation comprises an XOR operation.
 18. The system of claim 14, wherein the PIN management module is further configured to: obtain a second personal identification number; create a third representation of the data object; alter the third representation of the data object using at least a portion of the obtained second personal identification number to create a fourth representation of the data object; and wherein the instructions further include an authentication module, the authentication module configured to determine whether the first personal identification number matches the second personal identification number by comparing the third representation of the data object to the fourth representation of the data object, and the authentication module further configured to implement an action based on determining whether the first personal identification number matches the second personal identification number.
 19. The system of claim 14, wherein the PIN management module resides on a credential.
 20. The system of claim 18, wherein at least one of the PIN management module and the authentication module reside on a credential; wherein at least one of the PIN management module and the authentication module reside on a reader; and wherein one or more of the PIN management module and the authentication module are operable to detect the presence of the credential in proximity to the reader. 